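--- a/java/com.sap.sailing.domain.igtimiadapter.gateway/WEB-INF/web.xml
+++ b/java/com.sap.sailing.domain.igtimiadapter.gateway/WEB-INF/web.xml
@@ -27,7 +27,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all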
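Review bot: Swapping the class on the `<filter-class>` line exempts every OPTIONS request to this bundle from Shiro, and the identical one-line swap is repeated in every other WEB-INF/web.xml section of this commit. That includes bundles such as com.sap.sse.replication, com.sap.sse.landscape.aws and com.sap.sse.threadmanager which, judging by their names only, may never be called cross-origin from a browser. I would keep `org.apache.shiro.web.servlet.ShiroFilter` wherever no CORS preflight is expected, so the unauthenticated path exists only in the bundles that need it. The `<filter-mapping>` and the servlets behind it lie outside the hunk, so it cannot be confirmed from here that nothing in these bundles produces content or side effects for OPTIONS.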
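--- a/java/com.sap.sailing.gwt.ui/WEB-INF/web.xml
+++ b/java/com.sap.sailing.gwt.ui/WEB-INF/web.xml
@@ -36,7 +36,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all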
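--- a/java/com.sap.sailing.hanaexport/WEB-INF/web.xml
+++ b/java/com.sap.sailing.hanaexport/WEB-INF/web.xml
@@ -24,7 +24,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all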
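--- a/java/com.sap.sailing.landscape.gateway/WEB-INF/web.xml
+++ b/java/com.sap.sailing.landscape.gateway/WEB-INF/web.xml
@@ -24,7 +24,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before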
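--- a/java/com.sap.sailing.polars/WEB-INF/web.xml
+++ b/java/com.sap.sailing.polars/WEB-INF/web.xml
@@ -24,7 +24,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before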
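--- a/java/com.sap.sailing.server.gateway.test.support/WEB-INF/web.xml
+++ b/java/com.sap.sailing.server.gateway.test.support/WEB-INF/web.xml
@@ -14,7 +14,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*" catches all requests. Usually this filter mapping
 is defined first (before all others) to ensure that Shiro works in subsequent filters in the filter chain: -->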
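--- a/java/com.sap.sailing.server.gateway/WEB-INF/web.xml
+++ b/java/com.sap.sailing.server.gateway/WEB-INF/web.xml
@@ -25,7 +25,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all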
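--- a/java/com.sap.sailing.shared.server.gateway/WEB-INF/web.xml
+++ b/java/com.sap.sailing.shared.server.gateway/WEB-INF/web.xml
@@ -25,7 +25,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all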
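--- a/java/com.sap.sailing.windestimation/WEB-INF/web.xml
+++ b/java/com.sap.sailing.windestimation/WEB-INF/web.xml
@@ -24,7 +24,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before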
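--- a/java/com.sap.sailing.www/WEB-INF/web.xml
+++ b/java/com.sap.sailing.www/WEB-INF/web.xml
@@ -38,7 +38,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*" catches all requests. Usually this filter mapping
 is defined first (before all others) to ensure that Shiro works in subsequent filters in the filter chain: -->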
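--- a/java/com.sap.sse.landscape.aws/WEB-INF/web.xml
+++ b/java/com.sap.sse.landscape.aws/WEB-INF/web.xml
@@ -25,7 +25,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before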
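--- a/java/com.sap.sse.replication/WEB-INF/web.xml
+++ b/java/com.sap.sse.replication/WEB-INF/web.xml
@@ -27,7 +27,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all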
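--- a/java/com.sap.sse.security.ui/WEB-INF/web.xml
+++ b/java/com.sap.sse.security.ui/WEB-INF/web.xml
@@ -32,7 +32,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all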
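--- a/java/com.sap.sse.security/META-INF/MANIFEST.MF
+++ b/java/com.sap.sse.security/META-INF/MANIFEST.MF
@@ -43,6 +43,7 @@ Web-ContextPath: /security
 Export-Package: com.sap.sse.security,
 com.sap.sse.security.impl;x-friends:="com.sap.sailing.domain.test,com.sap.sailing.server.testsupport",
 com.sap.sse.security.jaxrs,
+ com.sap.sse.security.shiro,
 com.sap.sse.security.subscription,
 com.sap.sse.security.subscription.chargebee,
 com.sap.sse.security.util,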
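--- a/java/com.sap.sse.security/WEB-INF/web.xml
+++ b/java/com.sap.sse.security/WEB-INF/web.xml
@@ -40,7 +40,7 @@
 </filter-mapping>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all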
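--- /dev/null
+++ b/java/com.sap.sse.security/src/com/sap/sse/security/shiro/ShiroFilterForAllButOptionsRequests.java
@@ -0,0 +1,60 @@
+package com.sap.sse.security.shiro;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.shiro.web.servlet.ShiroFilter;
+
+/**
+ * A special {@link ShiroFilter} that disables itself for HTTP requests using the <tt>OPTIONS</tt>
+ * method. This is useful because such requests are generally sent without authentication / authorization
+ * information as all HTTP headers are usually stripped from these requests. Yet, browsers depend on
+ * these "pre-flight" requests to succeed with a 2XX response status in order to continue with the real
+ * request (which then uses proper <tt>Authorization</tt> headers).<p>
+ *
+ * Since responses to <tt>OPTIONS</tt> requests don't contain any payload in their body, ignoring the
+ * authorization and authentication and instead returning full CORS headers is so intended and a 2XX
+ * status is what helps browsers to continue the right way.<p>
+ *
+ * Use this in your web.xml file, e.g., like so:
+ * <pre>
+ * &lt;filter&gt;
+ * &lt;filter-name&gt;ShiroFilter&lt;/filter-name&gt;
+ * &lt;filter-class&gt;com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests&lt;/filter-class&gt;
+ * &lt;/filter&gt;
+ * &lt;filter-mapping&gt;
+ * &lt;filter-name&gt;ShiroFilter&lt;/filter-name&gt;
+ * &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
+ * &lt;dispatcher&gt;REQUEST&lt;/dispatcher&gt;
+ * &lt;dispatcher&gt;FORWARD&lt;/dispatcher&gt;
+ * &lt;dispatcher&gt;INCLUDE&lt;/dispatcher&gt;
+ * &lt;dispatcher&gt;ERROR&lt;/dispatcher&gt;
+ * &lt;/filter-mapping&gt;
+ * </pre>
+ *
+ * @author Axel Uhl (d043530)
+ *
+ */
+public class ShiroFilterForAllButOptionsRequests extends ShiroFilter {
+ /**
+ * Enables this filter for all request methods other than OPTIONS where
+ * authentication information cannot be expected to be provided, yet as
+ * no content will be delivered, the request shall not fail for lack of
+ * proper authentication.
+ */
+ @Override
+ protected boolean isEnabled(ServletRequest request, ServletResponse response) throws ServletException, IOException {
+ final boolean result;
+ if (request instanceof HttpServletRequest && ((HttpServletRequest) request).getMethod().equals("OPTIONS")) {
+ result = false;
+ } else {
+ result = super.isEnabled(request, response);
+ }
+ return result;
+ }
+
+}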
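Review bot: `isEnabled` returns false for every request whose method is OPTIONS, not only for genuine CORS preflights, so for those requests the rest of the chain runs with no Shiro authentication, no URL-based authorization and, as far as I can tell from how a disabled Shiro filter passes the request on, no Subject bound to the thread. The Javadoc's premise that OPTIONS responses carry no body is an assumption this class does not enforce; it holds only if nothing downstream (a servlet `doOptions` override, a JAX-RS `@OPTIONS` method or a runtime-generated resource description) returns content or has side effects. I would state that as a requirement in the class Javadoc, for example `Callers must ensure that no servlet or resource behind this filter returns data or changes state for OPTIONS`, and add a test that an unauthenticated OPTIONS request to a protected path yields an empty body. The phrase "all HTTP headers are usually stripped" is also misleading: a preflight omits credentials (cookies, `Authorization`) but still carries `Origin` and the `Access-Control-Request-*` headers. As a small style point, `"OPTIONS".equals(((HttpServletRequest) request).getMethod())` avoids depending on a non-null method.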
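--- a/java/com.sap.sse.threadmanager/WEB-INF/web.xml
+++ b/java/com.sap.sse.threadmanager/WEB-INF/web.xml
@@ -25,7 +25,7 @@
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all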
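--- a/wiki/info/landscape/usermanagement.md
+++ b/wiki/info/landscape/usermanagement.md
@@ -29,7 +29,7 @@ A web bundle that wants to use Shiro-based security and user management features
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all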
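--- a/wiki/info/security/security.md
+++ b/wiki/info/security/security.md
@@ -27,7 +27,7 @@ Shiro security is largely configured by `shiro.ini` files in OSGi Web Bundlesand
 </listener>
 <filter>
 <filter-name>ShiroFilter</filter-name>
- <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
+ <filter-class>com.sap.sse.security.shiro.ShiroFilterForAllButOptionsRequests</filter-class>
 </filter>
 <!-- Make sure any request you want accessible to Shiro is filtered. "/*"
 catches all requests. Usually this filter mapping is defined first (before all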